Closed Bug 926937 Opened 11 years ago Closed 11 years ago

set up a weekly report of machines and people with releng vpn loaner access

Categories: (Infrastructure & Operations :: Infrastructure: LDAP, task)
task / Not set / normal
Tracking: (Not tracked)
RESOLVED FIXED
People: (Reporter: Callek, Assigned: jabba)
Attachments: (2 files)

+++ This bug was initially created as a clone of Bug #834866 +++

(original c#0 at end)

Similar to the original weekly report, I'd love if we had a weekly report of *users* with releng_vpn_loan and *machines* with same group.

This will help us audit if we forgot to remove a machine, or if we forgot to remove a user from the group when we want.

Ideally we'd also eventually make this report machine auditable but thats not desired for this first pass.

---------------------------------
original c#0 follows
---------------------------------

A few us were talking on IRC about how it would be nice to be able to audit the list of people with RelEng network access from time to time. The overall list is very big (all of IT, all of RelEng, plus people with temporary access). Dustin suggested that we may be able to get a weekly report of the latter group of users, is this possible? If so, it should be sent to release@mozilla.com.

16:02 < bhearsum> in the blue sky world it would be nice to have a list of everyone with access minus releng+IT -- that would be the list that we want to audit from time to time
16:02 < arr> the infra team might be able to tell you how to get that
16:02 < arr> I'm not sure there's any differentiation between releng and not releng, though
16:03 < arr> it's just an LDAP bit
16:03 < dustin> cn=releng is a different group
16:03 < dustin> you could subtract them
16:03 < dustin> I bet one of the LDAP gurus could whip up a query for that
Summary: set up a weekly report of non-IT and non-releng people with releng vpn access → set up a weekly report of machines and people with releng vpn loaner access
Assignee: infra → jdow
This patch should make this script replace the existing weekly report with a new report that gives the list of members of the vpn_releng_loan group, as well as the hosts in that group.

My understanding is that this should replace the existing script, if it is intended to exist in conjunction with the largely deprecated buildteam script, let me know and I'll copy, rather than update.
Attachment #826791 - Flags: review?(rsoderberg)
Attachment #826791 - Attachment is patch: true
Comment on attachment 826791 [details] [diff] [review]
Patch to modify the script to show the contents of vpn_releng_loan instead of buildteam

Review of attachment 826791 [details] [diff] [review]:
-----------------------------------------------------------------

r+, should work fine. Please fix Subject, review destination email address before deploying.

::: releng_vpn_report.sh.erb
@@ +6,3 @@
>  BIND_USER="uid=<%= scope.function_hiera(['secrets_openvpn_bind_username']) %>,ou=logins,dc=mozilla"
>  BIND_PASSWORD="<%= scope.function_hiera(['secrets_openvpn_bind_password']) %>"
>  LDAP_HOST="ldap.db.scl3.mozilla.com"
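Review bot: BIND_PASSWORD on the second line of this hunk is rendered in cleartext into the deployed script by the Puppet template, so the generated releng_vpn_report.sh must be installed owner-only (mode 0700 or 0600) and the secret kept out of the process list; if the script later passes it to ldapsearch as `-w "$BIND_PASSWORD"` it is visible in `ps`, so prefer `-y` with a mode-0600 password file. The hard-coded LDAP_HOST is the reviewer's $::ldapvip point above.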

Consider using $::ldapvip instead.

@@ +10,2 @@
>  LDAP_BASE="dc=mozilla"
>  MAILADDRESS="release@mozilla.com"

Is this the desired mail address?

@@ +30,5 @@
>  (
>      IFS=$'\n'
> +    echo "${all_users[*]}" | grep -x -F "${members[*]}" | grep -v -x -F "${admins[*]}" | sort -u
> +    echo "${hosts[*]}"
> +) | mail -s "Weekly Report of Releng VPN Users" $MAILADDRESS
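Review bot: the two added echo lines assume every element of members, admins and hosts is a complete single-line value, but ldapsearch folds attribute lines longer than 76 columns onto a continuation line that begins with a single space; unless the arrays are built from unfolded output, long hostnames come out cut off and the `grep -x -F` exact-match comparisons silently fail for long user entries. Unfold the LDIF (or run ldapsearch with `-o ldif-wrap=no`) before populating the arrays. Minor: quote `"$MAILADDRESS"` on the mail line.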

This looks correct, as long as testing confirms the desired output.

Consider adding "echo # Users" and "echo # Hosts" or similar headings and maybe a line of whitespace between the two.

Subject is incorrect, suggest "Weekly Report of Releng Loaner VPN Users/Hosts".
Attachment #826791 - Flags: review?(rsoderberg) → review+
(In reply to Justin Dow [:jabba] from comment #1)
> My understanding is that this should replace the existing script, if it is
> intended to exist in conjunction with the largely deprecated buildteam
> script, let me know and I'll copy, rather than update.

Spoke with the buildduty team (incl. coop) and the consensus is that this is entirely accurate. We can obsolete the old script and use this new one.

Thank You.
I've made the suggested changes in comment 2 and deployed the script. I moved the origin host for this e-mail from the old releng vpn server to the new openvpn1.corpdmz server. Please look for the new e-mail over the next week (runs from cron.weekly) and confirm things are working properly.

Thanks!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
(I like this improvement, thanks for doing this!)

Reopening, because today was the first day we saw this change in production, and some user/machine names are being truncated. It's mostly enough that a human can reconstruct the full name... but having the complete name makes life *much* simpler for buildduty to copy+paste in a rush.

Can this be fixed?

Example below:
...
10.12.49.138 # talos-r3-fed-011.build.scl1.mozilla.com
10.12.51.54 # talos-r4-snow-026.build.scl1.mozilla.com
10.12.52.99 # talos-r4-lion-089.build.scl1.mozilla.com
10.132.56.162 # tst-linux32-ec2-mdas.test.releng.usw2.mozilla.co
10.134.52.40 # dev-linux64-ec2-yurenju1.dev.releng.use1.mozilla.
10.134.53.184 # dev-bld-linux64-ec2-hverschore.dev.releng.use1.m
10.134.53.57 # dev-linux64-ec2-yeukhon.dev.releng.use1.mozilla.c
10.134.53.91 # dev-bld-linux64-ec2-dminor.dev.releng.use1.mozill
10.134.56.223 # tst-linux64-ec2-dburns.test.releng.use1.mozilla.
10.134.56.28 # dev-tst-linux64-ec2-eflores.test.releng.use1.mozi
10.134.56.91 # dev-tst-linux64-ec2-graydon.test.releng.use1.mozi
...
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
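The truncation above is the classic LDIF line-folding problem: OpenLDAP's ldapsearch wraps any attribute line longer than 76 columns and puts the remainder on a following line that starts with a single space, so anything that reads the output line by line sees only the first fragment. The example below is added here and is not the script from this bug or from the attached patch; it builds a constructed ldapsearch-style sample with a hypothetical attribute name (loanerHost) and shows the naive extraction losing the tail of long hostnames, while an unfolding pass recovers them.

```shell
#!/bin/sh
# Added example, not the script from the bug. Demonstrates why folded
# ldapsearch (LDIF) output truncates long values and how to unfold it.

# Constructed sample of ldapsearch output. "loanerHost" is a hypothetical
# attribute name standing in for whatever the real group uses. The two long
# values are folded the way ldapsearch folds them: the continuation line
# starts with exactly one space.
SAMPLE_LDIF='dn: cn=vpn_releng_loan,ou=groups,dc=mozilla
cn: vpn_releng_loan
loanerHost: 10.12.49.138 # talos-r3-fed-011.build.scl1.mozilla.com
loanerHost: 10.134.53.184 # dev-bld-linux64-ec2-hverschore.dev.releng.use1.
 mozilla.com
loanerHost: 10.134.56.28 # dev-tst-linux64-ec2-eflores.test.releng.use1.mozi
 lla.com
'

# Unfold LDIF: append each continuation line (leading space stripped) to the
# line before it, so every attribute value occupies one physical line.
unfold_ldif() {
  awk '
    /^ /   { buf = buf substr($0, 2); next }   # continuation: glue it on
    NR > 1 { print buf }                       # flush the completed line
           { buf = $0 }                        # start buffering a new line
    END    { if (NR > 0) print buf }           # flush the last line
  '
}

# Naive extraction, equivalent to grepping the raw output line by line:
# only the first physical line of each folded value is captured.
hosts_naive() {
  printf '%s' "$SAMPLE_LDIF" | sed -n 's/^loanerHost: //p'
}

# Correct extraction: unfold first, then pull the values out.
hosts_unfolded() {
  printf '%s' "$SAMPLE_LDIF" | unfold_ldif | sed -n 's/^loanerHost: //p'
}

# Count of host lines, without wc's platform-dependent padding.
count_lines() {
  "$1" | awk 'END { print NR }'
}

if [ "${1:-}" = "demo" ]; then
  echo "# naive (truncated):"; hosts_naive
  echo "# unfolded:";          hosts_unfolded
fi
```

Run it as `sh example.sh demo` to see both listings side by side. Unfolding before any grep or array population is the fix the later attachment describes; alternatively, OpenLDAP 2.4's ldapsearch accepts `-o ldif-wrap=no` so that no folding happens in the first place.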
Jabba, can you test this and make sure it works as expected?
Attachment #8341899 - Flags: review?(jdow)
Attachment #8341899 - Flags: review?(jdow) → review+
Comment on attachment 8341899 [details] [diff] [review]
unwrap the ldapsearch output before processing it

Testing complete, committed the fix.
Attachment #8341899 - Flags: checked-in+
I'm going to RESO FIXE this in light of testing results, but please feel free to reopen as needed if the fix isn't working right in tomorrow's report.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED